comparison mod_http_oauth2/mod_http_oauth2.lua @ 6242:ef81c67e1ae7

mod_http_oauth2: Allow zero response types (e.g. with the password grant)
author Kim Alvefur <zash@zash.se>
date Tue, 03 Jun 2025 16:59:07 +0200
parents b460b2a65f0b
children 5b269511ade7
comparison
equal deleted inserted replaced
6241:b460b2a65f0b 6242:ef81c67e1ae7
1296 default = "web"; 1296 default = "web";
1297 }; 1297 };
1298 response_types = { 1298 response_types = {
1299 title = "Response Types"; 1299 title = "Response Types";
1300 type = "array"; 1300 type = "array";
1301 minItems = 1;
1302 uniqueItems = true; 1301 uniqueItems = true;
1303 items = { type = "string"; enum = { "code"; "token" } }; 1302 items = { type = "string"; enum = { "code"; "token" } };
1304 default = { "code" }; 1303 default = { "code" };
1305 }; 1304 };
1306 client_name = { 1305 client_name = {
1468 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'"); 1467 return nil, oauth_error("invalid_client_metadata", "Inconsistency between 'grant_types' and 'response_types'");
1469 end 1468 end
1470 1469
1471 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then 1470 if set.intersection(grant_types, allowed_grant_type_handlers):empty() then
1472 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified"); 1471 return nil, oauth_error("invalid_client_metadata", "No allowed 'grant_types' specified");
1473 elseif set.intersection(response_types, allowed_response_type_handlers):empty() then
1474 return nil, oauth_error("invalid_client_metadata", "No allowed 'response_types' specified");
1475 end 1472 end
1476 1473
1477 if client_metadata.token_endpoint_auth_method ~= "none" then 1474 if client_metadata.token_endpoint_auth_method ~= "none" then
1478 -- Ensure that each client_id JWT with a client_secret is unique. 1475 -- Ensure that each client_id JWT with a client_secret is unique.
1479 -- A short ID along with the issued at timestamp should be sufficient to 1476 -- A short ID along with the issued at timestamp should be sufficient to